
How to use rex command to extract two fields and chart the count for both in one search query?


Hello! I've recently learned to create a field using the rex command and now I'm trying to modify it to create two fields. I'll give an example to show what I'm trying to do:

Suppose a log file contains logs of the form: "...Login failed for user..." and "... Login succeeded for user..." What I would like to do would be to get a count of each one and compare them to each other either in a table or using a bar chart.

The following query will give a count of the number of times succeeded is found. A similar thing can be done for 'failed' attempts; however, how do I combine it into one string so that I can get data that I can look at side by side? My question is twofold:

How can I join queries so that I only have 1 query?

How can I compare them together/next to each other?

Unfortunately, I don't have access to the props folder to be able to create fields by default.


2 Answers

If your events look like "Login failed for user bob" vs. "Login succeeded for user carol", then you can capture two fields at once within the same regex by something like this:

rex "Login (?<action>\w+) for user (?<user>\w+)"

This would capture both "action" as "succeeded" or "failed" and the "username" field with the value of the user's login name.

You could then, say, "timechart count by action", differentiating by the value of the action field. Alternately, "timechart count by user" would show attempts (whether successful or not) by each user. Finally, you could also do chart count OVER user BY action. Try it out.

Thanks for the replies! I feel that I have a better understanding of what is going on. When I used Chris's code I got a 'No results found. Inspect' error message. I think that may just be a syntax error and so I simplified the code. When I did so I gained a better idea of what the issue is. In the following example I am going to stick with trying to create a field called action with two options: succeeded and failed. I will not worry about the user field.

This search gives 48 results each of the form: 'TIMESTAMP [NUMBER] Login succeeded/failed for user: USER'. I can see that I do have valid logs. I should be picking up values for action, but the action field is not listed in the right hand sidebar (even if I select 'view all'). However, if I insert the below code

The field user is listed on the right hand sidebar and has 4 values. It appears to be working as it should. If I remove the second ‘.*’ from the code, the user field only has 1 value which is blank. The last two codes are very similar, but the differences are causing the former to break and the latter to work.

Sorry for the information overload. Does anyone have any advice? Thanks in advance!

You'll want to look at a regular expression tool to validate your capture groups. I like regexr; it has both a web form mode as well as a standalone app I can use on my mac. I suspect that simply the capture group is not matching the event string correctly.

The forum doesn't seem to be correctly displaying the backslash character, but you'll need a backslash in front of your w+ in the regular expression to capture "one or more word characters". The literal . in your user regex captures any character, including whitespace, so that's why it actually found user data.
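As an added example (not code from either answer above), the two-field extraction and both counts from the first answer, together with the missing-backslash failure the second answer describes, run over constructed sample events using Python's re module in place of Splunk's rex. Python spells named groups (?P<name>...) where Splunk's PCRE syntax is (?<name>...); the pattern also allows the colon after "user" that the follow-up's events contain.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the shape the follow-up describes:
# 'TIMESTAMP [NUMBER] Login succeeded/failed for user: USER'
EVENTS = [
    "2024-01-01T10:00:00 [101] Login succeeded for user: carol",
    "2024-01-01T10:00:05 [102] Login failed for user: bob",
    "2024-01-01T10:00:09 [103] Login failed for user: bob",
    "2024-01-01T10:00:12 [104] Login succeeded for user: alice",
    "2024-01-01T10:00:20 [105] Login failed for user: bob",
    "2024-01-01T10:00:31 [106] Login failed for user: alice",
]

# Working pattern: \w+ matches one or more word characters, so it captures
# "succeeded"/"failed" as action and the login name as user.
GOOD = re.compile(r"Login (?P<action>\w+) for user:? (?P<user>\w+)")

# The pattern as the forum rendered it, with the backslash dropped: "w+" now means
# one or more literal letter w, so "succeeded" never matches and no fields are produced.
BAD = re.compile(r"Login (?P<action>w+) for user:? (?P<user>w+)")


def rex(events, pattern):
    """Apply the pattern to each event like rex: non-matching events yield no fields."""
    return [m.groupdict() for m in map(pattern.search, events) if m]


def count_by_action(extracted):
    """Equivalent of 'stats count by action'."""
    return Counter(row["action"] for row in extracted)


def chart_over_user_by_action(extracted):
    """Equivalent of 'chart count over user by action': {user: {action: count}}."""
    table = defaultdict(Counter)
    for row in extracted:
        table[row["user"]][row["action"]] += 1
    return {user: dict(counts) for user, counts in table.items()}


if __name__ == "__main__":
    good = rex(EVENTS, GOOD)
    print("count by action:", dict(count_by_action(good)))
    print("count over user by action:", chart_over_user_by_action(good))
    print("events matched without the backslash:", len(rex(EVENTS, BAD)))
```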
